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TN THE UNITED STATES PATENT & TRADEMARK OFFICE 

IN RE APPLICATION OF: : 

PATRICE TOILLON ET AL. : ATTN: APPLICATION DIVISION 

SERIAL NO: 10/049,647 : 
FILED: February 25, 2002 

FOR: DEVICE FOR SECURELY 

MONITORING DATA SWITCHING 

PRELIMINARY AMENDMENT 

ASSISTANT COMMISSIONER FOR PATENTS 
WASHINGTON, D.C. 20231 

SIR: 

Prior to a first examination on the merits, please amend the above-identified 
application as follows: 



TN THE CLAIMS 
Please cancel Claims 1-32 without prejudice. 
Please add new Claims 33-66 as follows: 

33. (New) Monitoring device for a multichannel numeric switch, the switch 
including a connecting interface for connecting physical connection circuits to a transmission 
medium, defining at least one of source and destination ports, and a processing unit for 
carrying out selective switching of multifield data grids between the different ports, 
comprising: 
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a probe unit coupled selectively to the connecting interface; and 

a monitoring unit configured to analyze contents of at least part of the data grids 

probed by the probe unit, and configured to generate a warning signal when the part analyzed 

does not meet a selected condition. 

34. (New) Device according to claim 33, wherein the monitoring unit is further 
configured to analyze contents of at least part of a field of the data grids probed by the probe 
unit. 

35. (New) Device according to claim 34, wherein the monitoring unit is further 
configured to analyze contents of at least part of a field of each grid probed by the probe unit. 

36. (New) Device according to claim 33, wherein the probe unit is configured to 
probe grids including at least one of a logic channel field, one physical channel field, and a 
data field. 

37. (New) Device according to claim 33, wherein the probe unit is configured to 
probe grids including at least one of a grid start field, a destination port address field, a 
source port address field, and a data field. 

38. (New) Device according to claim 33, wherein the probe unit is configured to 
probe grids including at least one of a virtual path identifier field, a virtual channel identifier 
field, a payload type field, and a data field. 

39. (New) Device according to claim 36, wherein the monitoring unit comprises a 
table of correspondence specifying for each port connected to the connection circuits a list of 
authorized grids comprising at least the ports with which the respective port can exchange the 
grids, and wherein the monitoring unit is further configured to compare contents of this table 
of correspondence to that of at least one of the fields of the grid being transferred, to generate 
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the warning signal when its field or fields analyzed designate a port that does not have a 
correspondence with the source port transmitting the grid, this correspondence forming a 
chosen condition. 

40. (New) Device according to claim 37, wherein the monitoring unit comprises a 
table of correspondence specifying for each port connected to the connection circuits a list of 
authorized grids comprising at least the ports with which the respective port can exchange the 
grids, and wherein the monitoring unit is further configured to compare contents of this table 
of correspondence to that of at least one of the fields of the grid being transferred, to generate 
the warning signal when its field or fields analyzed designate a port that does not have a 
correspondence with the source port transmitting the grid, this correspondence forming a 
chosen condition. 

41. (New) Device according to claim 38, wherein the monitoring unit comprises a 
table of correspondence specifying for each port connected to the connection circuits a list of 
authorized grids comprising at least the ports with which the respective port can exchange the 
grids, and wherein the monitoring unit is further configured to compare contents of this table 
of correspondence to that of at least one of the fields of the grid being transferred, to generate 
the warning signal when its field or fields analyzed designate a port that does not have a 
correspondence with the source port transmitting the grid, this correspondence forming a 
chosen condition. 

42. (New) Switch according to claim 39, wherein the analyzed field or fields is or 
are chosen from at least the logic channel field and the physical channel field. 
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43. (New) Switch according to claim 40, wherein the analyzed field or fields is or 
are chosen from at least the destination port address field of the grid and the source port 
address field of the grid. 

44. (New) Switch according to claim 41, wherein the analyzed field or fields is or 
are chosen from at least the virtual path identifier field and the virtual channel identifier field. 

45. (New) Switch according to claim 39, wherein the table of correspondence 
includes for each source or destination port at least one list of associated destination 
addresses, a list of associated source addresses, a list of grid flux types authorized on the 
port, accompanied by temporal features of each of the fluxes, and a list of the grid lengths 
authorized to circulate on the port. 

46. (New) Switch according to claim 45, wherein the table of correspondence is 
stored in a modifiable memory selected from at least a live memory, a flash memory, and an 
assembly of registers each associated with a port and having an individually configurable 
content. 

47. (New) Device according to claim 44, wherein the memory is configured to 
permit access by writing and/or reading for monitoring. 

48. (New) Device according to claim 42, wherein the monitoring unit is configured 
to effect its comparison on the logic channel field, then on the physical channel field. 

49. (New) Device according to claim 43, wherein the monitoring unit is configured 
to effect its comparison on the destination address field, then on the source address field. 

50. (New) Device according to claim 44, wherein the monitoring unit is configured 
to effect its comparison on the virtual path identifier field, then on the virtual channel 
identifier field. 
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5 1 . (New) Device according to claim 39, wherein the monitoring unit is further 
configured to determine whether contents of the data field of the grid probed by the probe 
unit has a predetermined format, and to generate the warning signal when at least part of the 
data field does not verify the format, this verification of format forming the chosen condition. 

52. (New) Device according to claim 39, wherein the monitoring unit is further 
configured to determine a type of grid probed by the probe unit by analyzing contents of its 
type field, to generate the warning signal when the type field does not correspond to the 
predetermined type associate with the port having transmitted the grid, this verification of 
type forming the chosen condition. 

53. (New) Device according to claim 39, wherein the monitoring unit is further 
configured to measure outputs of grids probed by the probe unit, according to their type, and 
to generate the warning signal when the measured output associated with its type does not 
correspond to a predetermined output, this verification of output forming the chosen 
condition. 

54. (New) Device according to claim 39, wherein the monitoring unit is further 
configured to measure for each source port a temporal distance between grids of a same type 
which it has transmitted, and to generate the warning signal when the temporal distance 
measured associated with its type does not correspond to a predetermined distance, this 
verification of distance forming the chosen condition. 

55. (New) Device according to claim 39, wherein the monitoring unit is further 
configured to measure for each destination port a temporal distance between grids of a same 
type that it has received, and to generate the warning signal when the distance measured 
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associated with its type does not correspond to a predetermined temporal distance, this 
verification of distance forming the chosen condition. 

56. (New) Device according to claim 36, wherein the monitoring unit is further 
configured to measure a length of each grid probed by the probe unit, and to generate the 
warning signal when its measured length does not correspond to a predetermined length 
associated with its type, this verification of length forming the chosen condition. 

57. (New) Device according to claim 36, wherein the monitoring unit is configured 
to make compatible at each port a number of grids that it transmits and a number of grids that 
it receives, so as to estimate for each port a rate of use, and to trigger invalidation of a 
connection between a port and the connection circuits to which it is connected when its 
estimated rate of use does not correspond to a predetermined rate associated with the type of 
grid of this port. 

58. (New) Device according to claim 33, wherein the monitoring unit is configured 
to make compatible each generation of a warning signal associated with each port and to 
trigger invalidation of the connection between a port and to trigger invalidation of the 
connection between a port and the connection circuits when a number of warning signals 
generated made compatible for this port is higher than a threshold. 

59. (New) Device according to claim 33, wherein the monitoring unit is configured 
to make compatible each warning signal generated associated with each port and to trigger 
rejection by the processing unit of the grid seen by the probe unit, when a number of warning 
signals generated made compatible for a port is higher than a threshold. 

60. (New) Device according to claim 33, wherein the monitoring unit is configured 
to make compatible each warning signal generated associated with each port and to trigger 
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rejection by the processing unit of the grid probed by the probe unit, when a number of 
warning signals generated made compatible for a port is higher than a threshold. 

61. (New) Device according to claim 33, wherein the monitoring unit is configured, 
upon the transmission of a warning signal, to trigger rejection of the grid probed by the probe 
unit. 

62. (New) Device according to claim 33, wherein the monitoring unit is configured, 
upon transmission of a warning signal, to trigger the processing unit to reject the grid probed 
by the probe unit. 

63. (New) Device according to claim 61, wherein the monitoring unit is configured 
to make compatible each rejection associated with each port and to trigger invalidation of the 
connection between a selected port and the connecting circuits when a number of rejections 
made compatible for the selected port is higher than a threshold. 

64. (New) Switch, comprising a device according to claim 33. 

65. (New) Communication installation, comprising at least one switch equipped with 
at least one device according to claim 33, the ports of the switch being connected to machines 
and computers. 

66. (New) Installation according to claim 65, wherein it is implanted in an airship 
comprising a flight management computer and a flight control computer. 

IN THE ABSTRACT 
Please add the following new Abstract on a separate sheet: 
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ABSTRACT 

A multichannel digital switching unit including a connection interface between 
circuits that provides the physical links to a transmitting environment defining the ports and a 
processing unit that switches multi-field data frames between the different ports. A frame 
monitoring device include a probe module that is selectively linked to the connection 
interface and a surveillance module that analyzes contents of at least a part of each data 
frame processed by the probe and generates a warning signal when the part that is analyzed 
fails to fulfil a chosen criterion. 
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REMARKS 

Favorable consideration of this application, as presently amended, is respectfully 
requested. 

The present preliminary amended is submitted to place the above-identified 
application in more proper format under United States practice. 

By the present preliminary amendment original Claims 1-32 are canceled and new 
Claims 33-66 are presented for examination. New Claims 33-66 are deemed to be self- 
evident from the original disclosure, including original Claims 1-32, and thus are not deemed 
to raise any issues of new matter. Further, new Claims 33-66 are not believed to be more 
narrow in scope in any aspect in comparison with original Claims 1-32. 

An Abstract is also submitted herein. 

The present application is believed to be in condition for a full and thorough 
examination on the merits. An early and favorable consideration of the present application is 
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hereby respectflilly requested. 



Respectfully submitted, 



OBLON, SPIVAK, McCLELLAND, 
MATER & NEUSTADT, P.C. 




Gregory J. Maier 
Attorney of Record 
Registration No. 25,599 
Surinder Sachar 
Registration No. 34,423 
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IN THE CLAIMS 

--Claims 1-32 (Canceled). 
Claims 33-66 (New). 

IN THE ABSTRACT OF THE DISCLOSURE 
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Device for securely monitoring data switching 



The invention relates to the field of switching data grids (or cells), and in particular 
monitoring devices for a multichannel numeric switch. 

The word "grid" is to be taken in its widest sense here, in that it designates all types of 
messages formed of a multiplicity of fields sequenced according to predetermined 
formats. In the same way, the word "data" is to be taken in its widest sense, in that it 
designates all data contained in a message, including the data relating to the message 
transmitter (or source), the destination(s) of this message, or even the type of 
message. 

Such switches conventionally comprise physical connection circuits, generally 
referred to as the "physical layer", connected to a transmission medium which defines 
the source (or input) communication ports and/or destination (or output) 
communication ports, to which articles of IT hardware (or machines) are connected. 
They also comprise a processing unit, generally referred to as the "logic layer", and a 
connecting interface between the processing unit and the connecting circuits, for each 
of the ports, selectively. The processing unit ensures numeric switching of multifield 
data grids between the different ports, i.e. between a source port and at least one 
destination port. 

These switches therefore form part of a communication installation in which 
independent physical links permit separation of the data in a manner known as 
"segmented" and not "diffused". 

In order to ensure good functioning of such an installation the data received by one 
(or more) destination machine(s) (which will be likened hereinafter to the destination 
or output communication port to which it is "attached") must be substantially identical 
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to those transmitted by the source machine (which will be likened hereinafter to the 
source or input communication port to which it is "attached"). 

Due to the complexity of the various connections, the very nature of the transmission 
media, and the conditions in which the grid exchanges take place, it frequently 
happens that certain grids deteriorate during their transfer from the source machine to 
the destination machine. This is particularly so with "COTS"-type switches, which 
are very widely used in information technology and telecommunications, due in 
particular to their low cost and the virtually universal format of the grids. 

This disadvantage makes switches of the above-mentioned type difficult to use, 
indeed even unusable, in certain fields of application where the protection of the data 
is of great importance. This is the case in avionics where the management and control 
of flight is concerned. 

Moreover, it is important that breakdowns and/or loss of functioning are treated. 

The object of the present invention is therefore to procure a monitoring device for a 
multichannel numeric switch intended to improve the situation mentioned above, 
particularly where security is concerned. 

It proposes to this end a device of the type described in the introduction, wherein a 
probe unit coupled selectively to the connecting interface is provided, together with a 
monitoring unit capable of analysing the content of at least part of every grid (or cell) 
of data seen by the probe unit, and to generate a warning signal when the analysed 
part does not meet a selected condition. 

It is thus possible to access, in a non-intrusive and selective manner, and on each of 
the ports being monitored (not necessarily all), every part of each grid in the process 
of switching in the switch, so as to monitor the coherence of the content of that grid. 
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In a currently preferred embodiment, the monitoring unit is so conceived as to trigger 
the processing unit, by means of the warning signal, to reject the grid seen by the 
probe unit. In this manner, every grid having an incoherence, of whatever type, is 
rejected: in other words, it is not presented to the output of the switch. 

In a modification of this embodiment, the monitoring unit is so conceived as to trigger 
itself, with the warning signal, rejection of the grid seen by the probe unit. This saves 
time. 

In another modification, the monitoring unit is so conceived as to make compatible 
the warning signals associated with each port, and to trigger rejection, either by itself, 
or by the processing unit, of the grid seen by the probe unit, when the number of 
warning signals made compatible for one port is higher than a certain threshold. 

Conversely, the monitoring unit can be so adapted as to make compatible each 
rejection associated with each port being monitored and to trigger invalidation of the 
connection between a port and the connection circuits when the number of rejections 
made compatible for this port is higher than a certain threshold. Obviously, such 
invalidation is preferably temporary, so that once the problem has been resolved at the 
faulty port, this can be used again for transmission and/or reception (or validated). 

The invention applies particularly, but not in a limiting way, to switches equipped 
with interfaces adapted to the standard formats of multifield grids selected from 
ETHERNET, ATM and HIGH-SPEED LINK. 

Furthermore, the invention also relates to switches equipped with a monitoring device 
of the type described above, as well as communication installations which comprise 
one or more switch(es) equipped with such a device. It applies particularly to 
communication installations used in avionics for managing and controlling flight. 



Further features and advantages of the invention will appear from the detailed 
description below and from the attached drawings, in which: 

Figure 1 .shows diagrammatically and in a simplified form a switch equipped with a 
monitoring device according to the invention; 

Figure 2 details diagrammatically a monitoring device according to the invention; 

Figure 3 is a diagram illustrating a grid with the ETHERNET format; 

Figure 4 is a block circuit diagram illustrating a processing mode of a grid having 
ETHERNET format; and 

Figure 5 illustrates diagrammatically an installation having two switches equipped 
with a monitoring device according to the invention. 

The attached drawings comprise elements of a certain character which it is difficult to 
define fully by the text. Consequently, they may contribute to the definition of the 
invention. 

The invention relates to a device for monitoring messages or grids, or even cells, in 
the process of switching in a multichannel numeric switch. 

Such a switch is intended to receive messages transmitted by machines (or more 
generally information technology hardware) according to a predetermined format with 
a view to switching them towards one or more other machines. The machine that 
transmits a message is called the source machine, whereas the machine that is the 
destination of a message is called the destination machine. Obviously, one and the 
same machine can be source and/or destination by turns or simultaneously. 
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As is illustrated in Figures 1 and 2, each machine E-i (here i = 1 to 4) is connected to 
the switch by the bias of a transmission medium 1 , which may be a cable or optic 
fibre, or even the ether when the messages are transmitted via waves. This 
transmission medium may be mono- or bi-directional. 

The end of the transmission medium 1, which is opposed to the machine E-i, is 
connected to physical connecting circuits 2, which form a physical interface or 
physical layer. The place where the connection is made between the physical layer 2 
and the various transmission media is conventionally called port 3. In the switch, 
each port 3 is associated with a port identification which may be used either as a 
source (or input) port local address, or as a destination (or output) port local address, 
according to whether the machine to which this port is connected transmits the 
message (or data grid) or is the destination thereof. 

On the physical layer 2 (or physical connection circuits), the ports 3 are installed in 
series (see Figure 1). 

In a conventional switch (i.e. from the prior art), the switching of a grid arriving at a 
port 3 of the physical layer 2 is effected by a processing unit 4, which is called the 
logic layer, or again a switching logic interface. 

The logic layer 4 is connected to the physical layer 2 via a connecting interface 5. 

In fact, as is illustrated in Figure 2, in the ETHERNET or ATM-type switches, the 
physical layer 2 comprises a large number of transmitters/receivers 7-i comprising an 
analogue input 8-i, an analogue output 9-i, a numeric output 10-i and a numeric input 
1 1-i. In the example shown in Figure 2, the switch being of the "4x4" type, the 
variable i assumes values of between 1 and 4. 



Furthermore, in these switches, the processing unit 4 (or logic layer) is composed of a 
large number of switching elements 1 2-i associated respectively with a 
transmitter/receiver 7-i. The connecting interface 5 can therefore be subdivided into 
bi-directional (5-i) parts, each permitting connection of the numeric output 10-i of a 
transmitter/receiver 7-i to the numeric input 13-i of a switching element 12-i, and of 
the numeric output 14-i of the switching element 12-i to the numeric input 1 1-i of the 

r 

transmitter/receiver 7-i. 

The various switching elements 1 2-i of the logic layer 4 are interconnected so that 
upon reception of a grid at the numeric input 13-i of one of them, this grid can be 
transmitted to one (or more) of these switching elements 12-j, associated with the 
transmitter/receiver(s) 7-j which supplies/supply the port(s) 3-j designated via the 
destination field address contained in the grid to be switched. 

The physical connection circuits 2 are called the physical layer 2 because they receive 
analogue data from the ports 3-i and transmit numeric data to the processing unit 4, 
via the connecting interface. The processing unit 4 is called the logic layer because it 
receives, processes and transmits numeric data. 

The grids which are exchanged in such a switch have a particular format known as 
'multifield*, of the type illustrated in Figure 3 (ETHERNET format). 

Such a multifield grid comprises, at least, a grid start field, a destination address field, 
a source address field and a data field. In a communication installation, these 
different fields are always sequenced in the same manner. 

A certain number of standard formats use multifield grids of the type described above, 
with or without complementary field(s). One might cite for example standard formats 
of the ETHERNET, ATM and HIGH-SPEED LINK (HS LINK) types. 
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Many manufacturers market switches capable of operating according to the above- 
mentioned formats. One can cite for example ETHERNET switches by the firms 
CISCO, 3COM, INTEL, IBM, HEWLETT PACKARD, D-LINK etc. As these 
switches are very widespread in the market, there is no need to describe them here. 
Those that belong to the category known as "COTS" (for "Commercial of the 
Shelves", i.e. "component widely used commercially") have the advantage of 
processing grids whose format is universally used, unlike other specific formats, such 
as that of the ARINC standard (429 or 629). 

By way of example, one might use an ETHERNET connecting interface of the type 
"medium independent interface" (Mil) or its improvements such as, for example, 
RMII (Reduce Mil), or a UTOPIA-type ATM connecting interface. 

Whatever the format of the communication installation, a grid arrives by a source port 
3-i, is transferred to the transmitter/receiver 7-i of the physical layer 2, borrows the 
part 5-i of the connecting interface 5 which is connected to the transmitter/receiver 7-i 
in order to reach the switching element 12-i of the logic layer 4. There its destination 
address field is analysed so as to determine the corresponding destination port 3-j. 
The grid is therefore communicated to the switching element 12-j, then to the 
transmitter/receiver 7-j via the part 5-j of the connecting interface, in order to be 
transmitted by the port 3-j. 

As was indicated in the introduction, it frequently occurs that switching grids 
deteriorate before arriving at the switch, or even that the switch causes the grids 
received to deteriorate during switching. 

The object of the invention is to improve the situation, and to this end the invention 
proposes a device for monitoring the coherence of data grids which are switched in a 
multichannel numeric switch between a source port and one or more destination ports. 



Such a device first comprises a probe unit 6 capable of observing during broadcast on 
the connecting interface 5 the data grids which are in transit between the physical 
layer 2 and the logic layer 4. Hereinafter, a transmission from the physical layer 2 
towards the logic layer 4 will be referred to as 'rising', and transmission from the logic 
layer 4 towards the physical layer 2 as 'falling'. 

The Applicant has found in fact that it was particularly advantageous to observe the 
rising and/or falling grids on the various parts 5-i of the connecting interface. This is 
because the data circulating on this interface 5 are numeric and totally representative, 
being identical thereto, of the data of the grids to be switched. 

The probe unit 6 according to the invention observes each part 5-i of the connecting 
interface which connects a switching element 12-i to a transmitter/receiver 7-i. In the 
example shown, this observation is effected on each rising part 5-iM and on each 
falling part 5-iD. Obviously, one could carry out observations only on one or more 
rising parts, or only on one or more falling parts, or even on certain rising parts and 
certain falling parts. 

It is therefore possible to observe the grids selectively. 

In the example in Figure 2, each rising part 5-iM of the connecting interface is 
observed independently of the other rising parts by a probe sub-unit 6-iM ? and each 
falling part 5-iD of the connecting interface is observed independently of the other 
falling parts by a probe sub-unit 6-iD. This ensures the independence of the 
observations carried out on the rising part from those carried out on the falling part. 
Each probe sub-unit can be realised as a connection. 

Each probe sub-unit 6-iM supplies a rising monitoring sub-unit 15-iM, and each probe 
sub-unit 6-iD feeds a falling monitoring sub-unit 15-iD. 



These different monitoring sub-units 15-i together form a monitoring unit 15. 
However, it is preferable, but not indispensable that the probe sub-units 15-iM and 
15-iD physically form one and the same sub-unit 15-i in the sense that they manage 
one and the same port 3-i. 

Each rising 15-iM and falling monitoring sub-unit 15-iD is conceived to analyse at 
least part of a field of the grid being observed which circulates on the part of the 
connecting interface 5 concerned. Consequently, each monitoring sub-unit 1 5-i, 
rising or falling, is capable of recognising from the fields transmitted thereto by the 
associated probe sub-unit 6-i the field or fields which it must analyse. Preferably, 
each monitoring sub-unit 15-i is configured (or programmed) so as to analyse 
successively, i.e. as they are transferred from a transmitter/receiver 7-i to an 
associated switching element 12-i, or reciprocally, plural fields of one and the same 
grid, and in particular the destination address field, the source field address and the 
grid type field. 

The various monitoring sub-units 15-i, whether rising or falling, can have different 
configurations according to the type of machine whose switching they monitor in a 
selective manner. Thus, local monitoring units are formed which are adapted to the 
needs of each port 3-i. 

Management of the configuration of each sub-unit 15-i is carried out, preferably, by a 
part of the device according to the invention coupled to the monitoring unit 15. This 
part, which is known as the monitoring unit 16, receives and transmits numeric "data" 
to the different monitoring sub-units 15-i via a (rising) connection 17M or a (falling) 
connection 17D. 

As will be seen below, the monitoring unit 16 carries out preferably other tasks than 
the management of the sub-modules' configuration. 
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In order to describe the monitoring mechanism carried out by a monitoring device 
according to the invention, Figure 3 and 4 will now be referred to. 

Figure 3 shows a grid with the ETHERNET format. As indicated above, it comprises 
a grid start field, then a destination address field (also known as MAC destination 
address), then a source address field (also known as MAC source address), then a grid 
type field. It then comprises a data field and a CRC field (English acronym standing 
for Cyclic Redundancy Check). 

The fields of a multifield grid are transmitted one by one in the order indicated above 
when the grid is transferred from the physical layer 2 to the logic layer 4, and vice 
versa. It is therefore possible to analyse the content of at least part of one or more 
fields which follow one another in order to verify the coherence of the grid (or cell). 

Obviously the grids which have formats other than ETHERNET will not have exactly 
the same configuration as that shown in Figure 3. For example, in the ATM format, 
after the grid start, the first field is a field known as "Virtual Path Identifier", the 
second field is a field known as "Virtual Channel Identifier", and the third field is a 
field known as "Payload Type". Thereafter is a field of priority and monitoring, and a 
data field. 

In a more general manner, a grid may comprise at least one or more so-called physical 
fields which designate one or more physical "channels", such as a source port or a 
destination port, one or more fields known as logic fields, which designate one or 
more logic "channels" such as a flux, and a data field. 

As is illustrated in Figure 4, in the case of a grid of ETHERNET format being 
transferred from the transmitter/receiver 7-1 to the associated switching element 12-1, 
the rising part 6-lM of the probe unit, which is connected to the rising part 5-1M of the 
connecting interface, transmits as soon as it observes the same the grid start field to 



1 1 



the monitoring sub-unit 1 5-1M. This sub-unit is thus warned that it will have to 
analyse a rising data grid. This forms the stage 100, which will be discussed below in 
the context of a dynamic analysis of the grids. 

As soon as the second destination address field is observed (and therefore 
reconstituted) by the rising part 6-1M of the probe unit, it is transmitted to the 
monitoring sub-unit 15-1M in order to be analysed in a stage 110. 

This analysis is intended to check whether the address of the destination of the grid 
corresponds to one of the ports 3-i. managed by the switch. To this end, the 
monitoring unit 1 5 comprises a memory 1 8 in which is found stored a table of 
correspondence between each port 3-i of the switch and the destination addresses 
authorised for this port. By a juxtaposition between the data contained in the field and 
those contained in the table of correspondence, one can check instantly the grid-port 
coherence, i.e. give or refuse authority to communicate with the port designated by 
the destination address. 

The table of correspondence can be shared by all the monitoring sub-units 15-i, but 
may also, as is illustrated in Figure 2, be subdivided into plural (i) parts associated 
respectively with the different ports. In this case, each monitoring sub-unit 15-i. 
comprises a modifiable memory 1 8-i, such as a live memory, a bank of registers each 
associated with a port and having an individually configurable content, or, even 
better, a flash-type memory, which contains the list of grids (messages, cells) 
authorised for each port 3-j. The expression 'list of grids' must be taken in a wide 
sense. It includes for each port all the ports with which it can exchange grids, the 
different types of grids authorised, the lengths of grid according to the type of flux, 
etc.. 

Preferably, the modifiable memory 1 8 can be accessed for reading and/or writing so 
as to permit monitoring of its content. 
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If the address is incoherent, the monitoring sub-unit 15-1M transmits, in this 
embodiment, to the monitoring unit 16, via the connection 17M, a warning signal 
indicating an incoherence in the address of the destination port. 

Two embodiments can be considered possible at this stage. In a first embodiment, 
upon receipt of the warning signal, the monitoring unit 16 will address to the 
switching element 12-1 a signal ordering it not to transfer the grid being transferred. 
This therefore brings about rejection of the grid. 

In a second embodiment, each monitoring sub-unit 15-iM acts directly on the 
switching element 12-i associated therewith, without the need to pass through the 
monitoring unit 16. To this end it comprises an output 19M which is connected to the 
switching element 12-i in order to send thereto the warning signal intended to trigger 
rejection of the grid being transferred. However, the monitoring unit 16 is preferably 
warned by each monitoring sub-unit 15-i. or by each switching element 12-i., of each 
rejection associated with each port, so as to make compatible for each port, whether 
source or destination, the number of grid rejections of which it is the object. 

The rejections (or warning signals) may be made compatible for both above- 
mentioned embodiments. The monitoring unit 16 may thus, when the number of 
rejections associated with a port 3-i exceeds a selected threshold, e.g. six, decide to 
invalidate this port 3-i. To this end, the monitoring unit 16 is connected by a 
connection 20 to the physical layer 2, and preferably to each of its 
transmitters/receivers 7-i. 

Obviously, different invalidation thresholds can be considered for different ports, 
according to need, and in particular according to the degree of security required at 
each port. 
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It is conceivable that the monitoring unit 16 have the option of forcing the switching 
of a grid, even when a monitoring sub-unit 15-i. has triggered rejection of the grid in 
the associated switching element 12-i. 

For processing descending grids, there is provided, instead of the connection 17M, a 
connection 17D between each monitoring sub-unit 15iD and the monitoring unit 16, 
in order to transmit the warning signal intended to trigger rejection of a descending 
grid being transferred. Obviously, as indicated above, each monitoring sub-unit 15-iD 
could act directly on the transmitter/receiver 7-i. associated therewith, without the 
need to pass through the monitoring unit 16. It comprises in this case an output 19D 
connected to the transmitter/receiver 7-i. in order to send thereto the warning signal 
intended to trigger rejection of the grid being transferred. Nevertheless, when a 
monitoring unit 16 is provided, it is warned preferably by each monitoring sub-unit 
15-i. (e.g. via the connection 17) or by each transmitter/receiver 7-i. (e.g. by the 
connection 20 which is in this case bi-directional), of each rejection associated with 
each port, so as to make compatible for each port, whether source or destination, the 
number of grid rejections of which it is the object. 

In a modification, a mode of grid rejection is conceivable which operates by making 
warning signals compatible. In this case, the monitoring unit 16 makes compatible 
for each port 3-i the warning signals (or incoherence signals) which are supplied by 
the monitoring sub-units 15-iM and 15-iD, so that only an incoherent grid arriving 
after N preceding incoherent grids is rejected. N designates here a threshold number 
which may be each, for example, to four or five. Obviously, each monitoring sub-unit 
15-i. could carry out this operation of making warning signals compatible for its port 
3-i instead of the monitoring unit 16. 

If the result of the analysis carried out in stage 110 does not indicate any incoherence, 
one moves on to the stage 120 in which the monitoring sub-unit 15-IM proceeds to 
analysis of the address field of the source port which has just been observed (and 
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therefore reconstituted) by the probe unit 6M on the rising part 5M of the connecting 
interface. 

As for the preceding field, a comparison is to be carried out between the source port 
address contained in the grid being transferred and the addresses of ports which are 
contained in the table of correspondence 18 (or 18-1). 

As above, if an incoherence is detected, a warning signal is transmitted by the 
monitoring sub-unit 15-1M in the direction of the monitoring unit 16 and/or the 
switching element 12-1 (by the connection 19M), according to the embodiment 
concerned. This will have the effect either of triggering rejection of the grid being 
transferred, or of incrementing by one unit of value the variable of matching of the 
warning signals (in the case of a statistical analysis). 

If incoherence is not detected, one moves on to a stage 130, in which the monitoring 
sub-unit 15-1M proceeds to analysis of the grid type field, which is supplied by the 
probe unit 6M after its observation on the rising part 5M of the connecting interface. 

This grid type analysis consists in checking whether the type contained in the field 
observed is part of a list of types which is memorised, e.g. in the memory 18 (or 18-i). 
Obviously, in a modification, instead of a list of types of grid, one may only provide a 
single type associated with each port. 

When the type of grids does not correspond to that or those stored, a warning signal 
may be transmitted by the monitoring sub-unit 15-1M with a view either to immediate 
rejection or possible rejection (in the statistical case). 

If there is no incoherence, the monitoring sub-unit 15-1M will proceed to an analysis 
which one might call 'dynamic' as opposed to analyses carried out at stages 100 to 
130, which are rather of the 'static' type. 
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A data grid is not generally isolated inside a communication installation. It belongs to 
a flux of data which may be specific or non-specific. By way of example, in the field 
of avionics, there are at least three different levels of flux associated respectively with 
very high-level priority data, such as periodic (critical) data, high-level priority data, 
such as urgent aperiodic data, and low-level priority data, such as urgent non-periodic 
data. 

One may thus authorise one or more different fluxes associated with different types of 
grid by means of the monitoring unit 16 in each monitoring sub-unit 15-iM and 15-iD. 

In a stage 140, one or more measurements are carried out which bear on the flux 
associated with the type of grid detected at stage 1 30. It may be, for example, a 
measurement of the rate of global use per unit time, or per pre-determined cycle, of 
the port being considered (here the port 3-1). It might be a measurement for each type 
of flux identified of the length of the grid per flux. It might also be a measurement of 
the temporal distance between grids. 

Some of these dynamic analyses of grids, in particular the two last ones, use the grid 
start field for their measurements, which is determined in stage 100. 

The measurement of temporal distance separating two consecutive grid starts might 
rest on the acquisition, upon each reception of a grid start, of the current time 
managed by each monitoring sub-unit 15-iM and 15-iD and the comparison with the 
expected time for a grid of the same type. 

The analysis carried out in the stage 140 therefore consists, in the rising direction, of 
monitoring the capacity of the source machine (or possibly of another upstream 
switch) to generate grids which are compatible (or coherent), in terms of the quantity 
of data and the quality of flux, with the port to which it is connected. In the falling 
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direction, the analysis consists of monitoring the capacity of the processing unit 4 (or 
logic layer) to return correctly fluxes of data to one or more destination ports. 

In general, the entirety of analyses carried out in the rising direction, on each port, 
consists in admission monitoring, whereas the entirety of analyses carried out in the 
falling direction, still on each port, consists of return monitoring. 

Although the fields are transmitted as they are observed, i.e. during their transfer from 
one layer to another, it is possible to conceive a parallel field analysis, in particular 
when one of the analyses requires a longer analysis time than that necessary to 
analysis of the next field. 

Furthermore, one might also conceive of only analysing part of a field, and not the 
whole field. This might be the case in particular when analysing the data field. One 
can conceive of placing in this data field a specific datum which, when it has a value 
which is different from one or more predetermined values, or even if it is not present 
at all, triggers a warning signal. 

Nevertheless, analysis of part of the data field has some risks in that the analysis must 
be finished before the grid being transferred has been completely transmitted either to 
the logic layer, in the case of a rising grid, or to the physical layer, in the case of a 
falling grid. 

In the above, multiple analysis was described. But obviously, it is possible to carry 
out single analysis, which is either static, i.e. relating to the address field of the 
destination port or the address field of the source field, or the grid type field, that is a 
purely dynamic analysis, i.e. relating to the flux associated with the type of grid. 

In summary, the monitoring mechanism implemented by the monitoring device 
according to the invention comprises four successive stages, a first stage of 
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observation, a second stage of detection, a third stage of action, and a fourth stage of 
fault containment. 

As is shown in Figure 5, the data grids arriving at the ports of a first switch do not 
necessarily originate from a machine such as a computer or sensor. In fact, they may 
come from any type of IT hardware operating according to the format of the switch 
equipped with the device according to the invention, in particular with the destination 
port of another switch. In the same way, the destination port of a first switch may be 
connected by a transmission means to the source port of a second switch. It is 
important to note that one of the two switches may not be equipped with a device 
according to the invention. 

The device according to the invention comprises, preferably, a purely hardware part, 
consisting in particular of the probe unit and the storage memory for data specific to 
the analyses (such as the list of authorised addresses, the list of master templates or 
authorised fluxes), and of a purely software part, preferably reprogrammable, for the 
rest. The monitoring device according to the invention might therefore be 
manufactured in the form, for example, of an ASIC coupled to a modifiable memory 
(live or flash), or of an ASIC with a bank of registers; an ASIC capable of ensuring 
monitoring or one or more ports. 

By virtue of the invention, it is possible to effect monitoring/detection in real time, 
which makes it possible to act on the current grid (principle of "fault containment"). 
Moreover, the performance of the switch is not impaired, since the 
monitoring/detection is carried out in parallel. Finally, this invention makes it 
possible to obtain very low non-detected error rates, as there is total dissociation of 
the implementation of the principle (monitoring mechanism) relative to the object 
being monitored, i.e. between the transfer and the switching of data; in other words, 
there is no link between monitoring and transfer. 
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The invention is not limited to the embodiments described above, but covers all 
modifications which might be developed by the person skilled in the art in the context 
of the claims below. 

Thus embodiments have been described in which each port of the switch is monitored 
by the device according to the invention. However, one may conceive that only some 
of the ports are monitored, e.g. only the input (source) ports or only the output 
(destination) ports, or any combination of input/output ports. 

The invention further covers switches equipped with a device according to the 
invention, as well as communication installations equipped with one or more switches 
equipped with a device according to the invention. 

Furthermore, the invention has been described with reference to the analysis of grids 
with ETHERNET format. But the invention relates to other types of grid, such as 
those of the ATM type, or those comprising more generally physical and/or logic 
fields or channels. In these embodiments, the unit will therefore be actuated so as to 
see one or more of their respective fields and the monitoring unit will effect its 
comparison preferably on the Virtual Path Identifier field, then on the Virtual Channel 
Identifier field, and on the logic channel field, then on the physical channel field 
respectively. 
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Claims 

1 . Monitoring device for multichannel numeric switch, the switch comprising an 
interface (5) for connecting physical connection circuits (2, 7) to a transmission 
medium (1), defining source and/or destination ports (3), and a processing unit (4, 12) 
for carrying out the selective switching of multifield data grids between these 
different ports, characterised in that it comprises a probe unit (6) coupled selectively 
to the connecting interface (5), and a monitoring unit (15) capable of analysing the 
content of at least part of the data grids seen by the probe unit (6), and of generating a 
warning signal when the part analysed does not meet a selected condition. 

2. Device according to claim 1, characterised in that the monitoring unit (15) is 
contrived to analyse the content of at least part of a field of each grid seen by the 
probe unit (6). 

3. Device according to claim 2, characterised in that the monitoring unit (15) is 
contrived to analyse the content of at least part of a field of each grid seen by the 
probe unit (6). 

4. Device according to one of claims 1 to 3, characterised in that the probe unit (6) is 
contrived to see grids comprising at least one logic channel field, one physical 
channel field and a data field. 

5. Device according to one of claims 1 to 3, characterised in that the probe unit (6) is 
contrived to see grids comprising at least one grid start field, a destination port 
address field, a source port address field, and a data field. 

6. Device according to one of claims 1 to 3, characterised in that the probe unit (6) is 
contrived to see grids comprising at least one field known as 'Virtual Path Identifier', a 
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field known as 'Virtual Channel Identifier 1 , a field known as Tayload Type', and a 
data field. 

7. Device according to one of claims 4 to 6, characterised in that the monitoring unit 
(15) comprises a table of correspondence specifying for each port (3) connected to the 
connecting circuits (2, 7) a list of authorised grids comprising at least the ports (3) 
with which it can exchange the grids, and in that the monitoring unit (15) is contrived 
to compare the content of this table of correspondence to that of at least one of the 
fields of the grid being transferred, in order to generate the warning signal when its 
field or fields analysed designate a port which does not have a correspondence with 
the source port transmitting the grid, this correspondence forming the aforementioned 
chosen condition. 

8. Switch according to claim 7 in combination with claim 4, characterised in that the 
analysed grid field(s) is/are chosen from at least the logic channel field and the 
physical channel field. 

9. Switch according to claim 7 in combination with claim 5, characterised in that the 
analysed grid field(s) is/are chosen from at least the destination port address field of 
the grid and the source port address field of this grid. 

10. Switch according to claim 7 in combination with claim 6, characterised in that 
that the analysed grid field(s) is/are chosen from at least the Virtual Path Identifier 
field and the Virtual Channel Identifier field. 

1 1 . Switch according to one of claims 7 to 10, characterised in that the table of 
correspondence comprises for each source or destination port at least one list of 
associated destination addresses, a list of associated source addresses, a list of grid 
flux types authorised on the port, accompanied by the temporal features of each of the 
fluxes, and a list of the grid lengths authorised to circulate on the port. 
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12. Switch according to the preceding claim, characterised in that the table of 
correspondence is stored in a modifiable memory (18) selected from at least a live 
memory, a 'flash' -type memory, and an assembly of registers each associated with a 
port and having an individually configurable content. 

13. Device according to claim 12, characterised in that the memory is contrived to 
permit access by writing and/or reading for the purpose of monitoring. 

14. Device according to one of claims 7 to 13 in combination with claim 4, 
characterised in that the monitoring unit (15) is contrived to effect its comparison on 
the logic channel field, then on the physical channel field. 

15. Device according to one of claims 7 to 13 in combination with claim 5, 
characterised in that the monitoring unit (15) is contrived to effect its comparison on 
the destination address field, then on the source address field. 

16. Device according to one of claims 7 to 13 in combination with claim 6, char the 
monitoring unit (15) is contrived to effect its comparison on the Virtual Path Identifier 
field, then on the Virtual Channel Identifier field. 

1 7. Device according to one of claims 4 to 16, characterised in that the monitoring 
unit (1 5) is contrived to determine whether the content of the data field of the grid 
seen by the probe unit (6) has a predetermined format and in order to generate the 
warning signal when at least part of the data field does not verify the format, this 
verification of format forming the aforementioned chosen condition. 

1 8. Device according to one of claims 4 to 17, characterised in that the monitoring 
unit (15) is contrived to determine the type of grid seen by the probe unit (6) by 
analysing the content of its type field, in order to generate the warning signal when 
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the type field does not correspond to the predetermined type associate with the port 
having transmitted the grid, this verification of type forming the aforementioned 
chosen condition. 

19. Device according to one of claims 4 to 18, characterised in that the monitoring 
unit (15) is contrived to measure the output of grids seen by the probe unit (6), 
according to their type, and in order to generate the warning signal when the 
measured output associated with its type does not correspond to a predetermined 
output, this verification of output forming the aforementioned chosen condition. 

20. Device according to one of claims 4 to 19, characterised in that the monitoring 
unit (15) is contrived to measure for each source port the temporal distance between 
the grids of the same type which it has transmitted, and in order to generate the 
warning signal when the distance measured associated with its type does not 
correspond to a predetermined distance, this verification of distance forming the 
aforementioned chosen condition. 

21. Device according to one of claims 4 to 19, characterised in that the monitoring 
unit (15) is contrived to measure for each destination port the temporal distance 
between the grids of the same type that it has received, and in order to generate the 
warning signal when the distance measured associated with its type does not 
correspond to a predetermined distance, this verification of distance forming the 
aforementioned chosen condition. 

22. Device according to one of claims 4 to 21, characterised in that the monitoring 
unit (15) is contrived to measure the length of each grid seen by the probe unit (6), 
and in order to generate the warning signal when its measured length does not 
correspond to a predetermined length associated with its type, this verification of 
length forming the aforementioned chosen condition. 



23. Device according to one of claims 4 to 22, characterised in that the monitoring 
unit (15) is contrived to make compatible at each port the number of grids that it 
transmits and the number of grids that it receives, so as to estimate for each port a rate 
of use, and to trigger invalidation of the connection between a port and the connecting 
circuits (2, 7) to which it is connected when its estimated rate of use does not 
correspond to a predetermined rate associated with the type of grid of this port. 

24. Device according to one of claims 1 to 23, characterised in that the monitoring 
unit (15) is contrived to make compatible each generation of a warning signal 
associated with each port and to trigger invalidation of the connection between a port 
and to trigger invalidation of the connection between a port and the connecting 
circuits when the number of warning signals generated made compatible for this port 
is higher than a threshold. 

25. Device according to one of claims 1 to 24, characterised in that the monitoring 
unit (15) is contrived to make compatible each warning signal generated associated 
with each port and to trigger rejection by the processing unit (4, 12) of the grid seen 
by the probe unit (6), when the number of warning signals generated made compatible 
for a port is higher than a threshold. 

26. Device according to one of claims 1 to 24, characterised in that the monitoring 
unit (15) is contrived to make compatible each warning signal generated associated 
with each port and to trigger rejection by the processing unit (4, 12) of the grid seen 
by the probe unit (6), when the number of warning signals generated made compatible 
for a port is higher than a threshold. 

27. Device according to one of claims 1 to 24, characterised in that the monitoring 
unit (15) is contrived, upon the transmission of a warning signal, to trigger rejection 
of the grid seen by the probe unit (6). 
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28. Device according to one of claims 1 to 24, characterised in that the monitoring 
unit (15) is contrived, upon the transmission of a warning signal, to trigger the 
processing unit to reject the grid seen by the probe unit (6). 

29. Device according to one of claims 27 and 28, characterised in that the monitoring 
unit (15) is contrived to make compatible each rejection associated with each port and 
to trigger invalidation of the connection between a port and the connecting circuits (2, 
7) when the number of rejections made compatible for this port is higher than a 
threshold. 

30. Switch, characterised in that it comprises a device according to one of the 
preceding claims. 

3 1 . Communication installation, characterised in that it comprises at least one switch 
equipped with at least one device according to one of claims 1 to 29, the ports of the 
switch being connected to machines and computers. 

32. Installation according to claim 3 1 , characterised in that it is implanted in an 
airship comprising a flight management computer and a flight control computer. 
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(57) Abstract: A multichannel digital switching unit comprises a connection interface (5) between circuits (2, 7) which provide 
the physical links to a transmitting environment defining the ports (3); and a processing unit (4, 12) which switches multi-field data 
frames between the different ports. A frame monitoring device comprises a probe module (6) which is selectively linked to the 
connection interface (5) and a surveillance module (15-18) which has means for analysing the contents of at least a part of each data 
frame processed by the probe (6) and generating a warning signal when the part that is analysed fails to fulfil a chosen criterion. 
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Declaration and Power of Attorney for Patent Application 
Declaration et Pouvoirs pour Demande de Brevet 

French Language Declaration 



En tant I'inventeur nomme ci-apres, je declare par le 
present acte que: 



As a below named inventor, I hereby declare that: 



Mon domicile, mon adresse postale et ma nationality sont 
ceux figurant ci-dessous a cote de mon nom. 



My residence, mailing address and citizenship are as 
stated next to my name. 



Je crois etre le premier inventeur original et unique (si un 
seul nom est mentionne ci-dessous), ou I'un des premiers 
co-inventeurs onginaux (si plusieurs noms sont mentionnes 
ci-dessous) de I'objet revendique, pour lequel une 
demande de brevet a ete deposee concernant I'mvention 
intitulee 



I believe I am the original, first and sole inventor (if only one 
name is listed below) or an original, first and joint inventor 
(if plural names are listed below) of the subject matter 
which is claimed and for which a patent is sought on the 
invention entitled. 



DEVICE FOR SECURELY MONITORING DATA 
SWITCHING 



et dont la description est fournie ci-joint a moins 



the specification of which 



□ ci-joint 

□ a ete deposee le 



sous le numero de demande des Etats-Unis ou le 
numero de demande international PCT 



et modifiee le 
(le cas echeant).' 



□ is attached hereto. 

M was filed on February 25, 2002 



as United States Application Number or PCT 
International Application Number 



10/049,647 



and was amended on 
(if applicable) 



Je declare par le present acte avoir passe en revue et 
compris le contenu de la description ci-dessus, 
revendications comprises, telles que modifiees par toute 
modification dont il aura ete fait reference ci-dessus. 



I hereby state that I have reviewed and understand the 
contents of the above identified specification, including the 
claims, as amended by any amendment referred to above. 



Je reconnais devoir divulguer toute information pertinente 
a la brevetabilite, comme defini dans le Titre 37, § 1 56 du 
Code federal des reglementations. 



I acknowledge the duty to disclose information which is 
material to patentability as defined in Title 37, Code of 
Federal Regulations, § 1 .56. 
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DOCKET NO.: 219872US2XPCT 

IN THE UNITED STATES PATENT & TRADEMARK OFFICE 

IN RE APPLICATION OF: Patrice TOILLON, et aL 

SERIAL NO.: 10/049,647 

FILING DATE: February 25, 2002 ^ 

FOR: DEVICE FOR SECURELY MONITORING DATA SWITCHING 

DECLARATION OF Patrice TOILLON 

I, Patrice TOILLON, am the first-named inventor of the above-identified application 
which is the national phase of International PCT Application No. PCT/FR00/02360, filed 
August 23, 2000. 

It has been brought to my attention that my last name was spelled incorrectly in the 
International application due to an error in translation- Specifically, my first name was spelled 
"Patrice TOILON. " My true and correct name is Patrice TOILLON, which has been set forth 
on the Declaration, Power of Attorney and Petition filed herewith. 

I declare that all statements made herein of my own knowledge are true and thai all 
statements made on infomiation and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made arc 
punishable by fine or imprisonment, or both, under Section 1001 of Title 1 8 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issuing thereon. 




Signature: ^^^> ° : ] A Date: $*J(Jf ^ M>\1~ Zoo?^ 

Patrice TOILLON / ^ 

48 7 rue Schnappcr 

F-78100 Saint Germain en Laye, France 



French Language Declaration 



Je revendique par le present acte avoir la priorite etrangere, en 
vertu du Titre 35, § 119(a)-(d) ou § 365(b) du Code des Etats- 
Unis, sur toute demande etrangere de brevet ou certificat 
d'inventeur ou, en vertu du Titre 35, § 365(a) du meme 
Code, sur toute demande Internationale PCT designant au 
moins un pays autre que les Etats-Unis et figurant ci-dessous 
et, en cochant la case, j'ai aussi indique ci-dessous toute 
demande etrangere de brevet, tout certificat d'inventeur ou 
toute demande Internationale PCT ayant une date de depot 
precedant celle de la demande a propos de laquelle une 
priorite est revendiquee. 



Prior Foreign Application(s) 

Demande(s) de brevet anterieure(s) dans un autre pays. 



99/10698 



France 



(Number) 
(Numero) 



(Country) 
(Pays) 



(Number) 
(Numero) 



(Country) 
(Pays) 



Je revendique par le present acte tout benefice, en vertu du 
Titre 35, § 119(e) du Code des Etats-Unis, de toute demande 
de brevet provisoire effectuee aux Etats-Unis et figurant ci- 
dessous. 



I hereby claim foreign priority under Title 35, United States 
Code, § 119 (a)-(d) or 365(b) of any foreign apphcation(s) for 
patent or inventor's certificate, or § 365(a) of any PCT 
International application which designated at least one country 
other than the United States, listed below and have also 
identified below, by checking the box, any foreign application 
for patent or inventor's certificate, or PCT International 
application having a filing date before that of the application on 
which priority is claimed. 



Priority Claimed 
Droit de priorite 
Revendique 



23 August 1999 



(Day/Month/Year Filed) 
(Jour/Mois/Anne de depot) 



(Day/Month/Year Filed) 
(Jour/Mois/Anne de depot) 



Yes 
Oui 

□ 

Yes 
Oui 



□ 

No 
Non 

□ 
No 
Non 



I hereby claim the benefit under Title 35, United States Code, 
§11 9(e) of any United States provisional application(s) listed 
below. 



(Application No.) (Filing Date) 

(N a de demande) (Date de depot) 

Je revendique par le present acte tout benefice, en vertu du 
Titre 35, § 120 du Code des Etats-Unis, de toute demande de 
brevet effectuee aux Etats-Unis, ou en vertu du Titre 35, 
§ 365(c) du meme Code, de toute demande Internationale PCT 
designant les Etats-Unis et figurant ci-dessous et, dans la 
mesure ou I'objet de chacune des revendications de cette 
demande de brevet n'est pas divulgue dans la demande 
anterieure americaine ou internationale PCT, en vertu des 
dispositions du premier paragraphe du Titre 35, § 112 du Code 
des Etats-Unis, je reconnais devoir divulguer toute information 
pertinente a la brevetabilite, comme defmi dans le Titre 37, 
§ 1.56 du Code federal des reglementations, dont j'ai pu 
disposer entre la date de depot de la demande anterieure et la 
date de depot de la demande nationale ou Internationale PCT 
de la presente demande: 

PCT/FR00/O2360 23 August 2000 

(Application No.) (Filing Date) 

(N 2 de demande) (Date de depot) 



(Application No.) (Filing Date) 

(N a de demande) (Date de depot) 

I hereby claim the benefit under Title 35, United States Code, 
§ 120 of any United States application(s), or § 365(c) of any 
PCT International application designating the United States, 
listed below and, insofar as the subject matter of each of the 
claims of this application is not disclosed in the prior United 
States or PCT International application in the manner provided 
by the first paragraph of Title 35, United States Code, § 112, I 
acknowledge the duty to disclose information which is material 
to patentability as defined in Title 37, Code of Federal 
Regulations, § 1 56 which became available between the filing 
date of the prior application and the national or PCT 
International filing date of this application. 



(Status: Patented, Pending, Abandoned) 
(Statut : brevete, en cours d'examen, abandonne) 



(Application No.) (Filing Date) 

(N- de demande) (Date de depot) 

Je declare par le pr6sent acte que toute declaration ci-incluse 
est, a ma connaissance, vendique et que toute declaration 
formulee a partir de renseignements ou de suppositions est 
tenue pour vendique; et de plus, que toutes ces declarations 
ont ete formulees en sachant que toute fausse declaration 
volontaire ou son equivalent est passible d'une amende ou 
d' une incarceration, ou des deux, en vertu de la § 1001 du 
Titre 18 du Code des Etats-Unis, et que de telles declarations 
volontairement fausses nsquent de compromettre la validite de 
la demande de brevet ou du brevet delivre a partir de celle-ci. 



(Status: Patented, Pending, Abandoned) 
(Statut : brevete, en cours d'examen, abandonne) 

I hereby declare that all statements made herein of my own 
knowledge are true and that all statements made on 
information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful 
false statements and the like so made are punishable by fine 
or imprisonment, or both, under Section 1001 of Title 18 of 
the United States Code and that such willful false statements 
may jeopardize the validity of the application or any patent 
issued thereon. 
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French Language Declaration 



POUVOIRS: En tant que I'inventeur cite, je designe par la 
presente l'(les) avocat(s) suivant(s) pour qu'ils 
poursuive(nt) la procedure de cette demande de brevet et 
traite(nt) toute affaire s'y rapportant avec I'Office des 
brevets et des marquees: (mentionner le nom et le numGro 
d'enregistrement). 



POWER OF ATTORNEY- As a named inventor, I hereby 
appoint the following attorney(s) and/or agent(s) to 
prosecute this application and transact all business in the 
Patent and Trademark Office connected therewith (list 
name and registration number) 



022850 



Addresser toute correspondance a: 



Send Correspondence to: 



Adressertout appel telephonique a: 
(nom et numero de telephone) 



022850 

Direct Telephone calls to: (name and telephone number) 

(703) 413-3000 



Nom complete de I'unique ou premier inventeur ^ ^ 


Full name of sole or first inventor 

Patrice TOILLON ^ I 


Signature de I'inventeur Date 1 


\S Inventor's signature ^ Date 

{ aKw~TV« It* - d a <f ;X w 


Domicile 


Residence 

48, rue Schnapper F-78100 Saint Germain en Laye, 
FRANCE y=>/? (/ 


Nationality 


Citizenship 1 
France 


Adresse Postale 


Mailing Address 
Same as above 




Nom complete du second co-inventeur, le cas echean ^Jf^ 


Full name of second joint inventor, If any 
Eric TIRIOU 


Signature de I'inventeur Datum 


\/ Second inventor's signature ^ Date 


Domicile 


Residence 

34, rue Victor Hugo, F-781 14 Magny les Hameaux, 
FRANCE yzTf? y/ 


Nationality 


Citizenship 1 > A " 
France 


Adresse Postale 


Mailing Address 
Same as above 


(Fournir les memes renseignements et la signature du 
troisieme co-inventeur et de tout co-inventeur 
supplemental.) 


(Supply similar information and signature for third and 
subsequent joint inventors.) 
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French Language Declaration 



Nom complet du troisieme co-inventeur, le cas echeant ^£ 


' ^ Full name of third joint inventor, If any 
Marc PEYTHIEUX 


Signature de 1'inventeur Date 


/"* Third inventor's signature Date 


Domicile / 


Residence ' 

9, Residence des Quinconces F-91190 Gif sur Yvette, 
FRANCE ' 


Nationality 


Citizenship F/OC 
France ' 


Adresse Postale 


Mailing Address 
Same as above 




Nom complet du quatrieme co-inventeur, le cas echeant 


Full name of fourth joint inventor, If any 


Signature de I'mventeur Date 


Fourth inventor's signature Date 1 


Domicile 


Residence 


Nationality 


Citizenship 


Adresse Postale 


Mailing Address 




Nom complet du cinquieme co-inventeur, le cas echeant 


Full name of fifth joint inventor, If any 


Signature de 1'inventeur Date 


Fifth inventor's signature Date 


Domicile 


Residence 


Nationality 


Citizenship 


Adresse Postale 


Mailing Address 




Nom complet du sixieme co-inventeur, le cas echeant 


Full name of sixth joint inventor, If any 


Signature de 1'inventeur Date 


Sixth inventor's signature Date 


Domicile 


Residence 


Nationality. 


Citizenship 


Adresse Postale 


Mailing Address 



(Fournir les memes renseignements et la signature du (Supply similar information and signature for seventh and 

septieme co-inventeur et de tout co-inventeur subsequent joint inventors.) 

supplemental.) 
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